1 /* 2 * EFI Test Driver for Runtime Services 3 * 4 * Copyright(C) 2012-2016 Canonical Ltd. 5 * 6 * This driver exports EFI runtime services interfaces into userspace, which 7 * allow to use and test UEFI runtime services provided by firmware. 8 * 9 */ 10 11 #include <linux/miscdevice.h> 12 #include <linux/module.h> 13 #include <linux/init.h> 14 #include <linux/proc_fs.h> 15 #include <linux/efi.h> 16 #include <linux/slab.h> 17 #include <linux/uaccess.h> 18 19 #include "efi_test.h" 20 21 MODULE_AUTHOR("Ivan Hu <ivan.hu@canonical.com>"); 22 MODULE_DESCRIPTION("EFI Test Driver"); 23 MODULE_LICENSE("GPL"); 24 25 /* 26 * Count the bytes in 'str', including the terminating NULL. 27 * 28 * Note this function returns the number of *bytes*, not the number of 29 * ucs2 characters. 30 */ 31 static inline size_t user_ucs2_strsize(efi_char16_t __user *str) 32 { 33 efi_char16_t *s = str, c; 34 size_t len; 35 36 if (!str) 37 return 0; 38 39 /* Include terminating NULL */ 40 len = sizeof(efi_char16_t); 41 42 if (get_user(c, s++)) { 43 /* Can't read userspace memory for size */ 44 return 0; 45 } 46 47 while (c != 0) { 48 if (get_user(c, s++)) { 49 /* Can't read userspace memory for size */ 50 return 0; 51 } 52 len += sizeof(efi_char16_t); 53 } 54 return len; 55 } 56 57 /* 58 * Allocate a buffer and copy a ucs2 string from user space into it. 59 */ 60 static inline int 61 copy_ucs2_from_user_len(efi_char16_t **dst, efi_char16_t __user *src, 62 size_t len) 63 { 64 efi_char16_t *buf; 65 66 if (!src) { 67 *dst = NULL; 68 return 0; 69 } 70 71 if (!access_ok(VERIFY_READ, src, 1)) 72 return -EFAULT; 73 74 buf = memdup_user(src, len); 75 if (IS_ERR(buf)) { 76 *dst = NULL; 77 return PTR_ERR(buf); 78 } 79 *dst = buf; 80 81 return 0; 82 } 83 84 /* 85 * Count the bytes in 'str', including the terminating NULL. 86 * 87 * Just a wrap for user_ucs2_strsize 88 */ 89 static inline int 90 get_ucs2_strsize_from_user(efi_char16_t __user *src, size_t *len) 91 { 92 if (!access_ok(VERIFY_READ, src, 1)) 93 return -EFAULT; 94 95 *len = user_ucs2_strsize(src); 96 if (*len == 0) 97 return -EFAULT; 98 99 return 0; 100 } 101 102 /* 103 * Calculate the required buffer allocation size and copy a ucs2 string 104 * from user space into it. 105 * 106 * This function differs from copy_ucs2_from_user_len() because it 107 * calculates the size of the buffer to allocate by taking the length of 108 * the string 'src'. 109 * 110 * If a non-zero value is returned, the caller MUST NOT access 'dst'. 111 * 112 * It is the caller's responsibility to free 'dst'. 113 */ 114 static inline int 115 copy_ucs2_from_user(efi_char16_t **dst, efi_char16_t __user *src) 116 { 117 size_t len; 118 119 if (!access_ok(VERIFY_READ, src, 1)) 120 return -EFAULT; 121 122 len = user_ucs2_strsize(src); 123 if (len == 0) 124 return -EFAULT; 125 return copy_ucs2_from_user_len(dst, src, len); 126 } 127 128 /* 129 * Copy a ucs2 string to a user buffer. 130 * 131 * This function is a simple wrapper around copy_to_user() that does 132 * nothing if 'src' is NULL, which is useful for reducing the amount of 133 * NULL checking the caller has to do. 134 * 135 * 'len' specifies the number of bytes to copy. 136 */ 137 static inline int 138 copy_ucs2_to_user_len(efi_char16_t __user *dst, efi_char16_t *src, size_t len) 139 { 140 if (!src) 141 return 0; 142 143 if (!access_ok(VERIFY_WRITE, dst, 1)) 144 return -EFAULT; 145 146 return copy_to_user(dst, src, len); 147 } 148 149 static long efi_runtime_get_variable(unsigned long arg) 150 { 151 struct efi_getvariable __user *getvariable_user; 152 struct efi_getvariable getvariable; 153 unsigned long datasize = 0, prev_datasize, *dz; 154 efi_guid_t vendor_guid, *vd = NULL; 155 efi_status_t status; 156 efi_char16_t *name = NULL; 157 u32 attr, *at; 158 void *data = NULL; 159 int rv = 0; 160 161 getvariable_user = (struct efi_getvariable __user *)arg; 162 163 if (copy_from_user(&getvariable, getvariable_user, 164 sizeof(getvariable))) 165 return -EFAULT; 166 if (getvariable.data_size && 167 get_user(datasize, getvariable.data_size)) 168 return -EFAULT; 169 if (getvariable.vendor_guid) { 170 if (copy_from_user(&vendor_guid, getvariable.vendor_guid, 171 sizeof(vendor_guid))) 172 return -EFAULT; 173 vd = &vendor_guid; 174 } 175 176 if (getvariable.variable_name) { 177 rv = copy_ucs2_from_user(&name, getvariable.variable_name); 178 if (rv) 179 return rv; 180 } 181 182 at = getvariable.attributes ? &attr : NULL; 183 dz = getvariable.data_size ? &datasize : NULL; 184 185 if (getvariable.data_size && getvariable.data) { 186 data = kmalloc(datasize, GFP_KERNEL); 187 if (!data) { 188 kfree(name); 189 return -ENOMEM; 190 } 191 } 192 193 prev_datasize = datasize; 194 status = efi.get_variable(name, vd, at, dz, data); 195 kfree(name); 196 197 if (put_user(status, getvariable.status)) { 198 rv = -EFAULT; 199 goto out; 200 } 201 202 if (status != EFI_SUCCESS) { 203 if (status == EFI_BUFFER_TOO_SMALL) { 204 if (dz && put_user(datasize, getvariable.data_size)) { 205 rv = -EFAULT; 206 goto out; 207 } 208 } 209 rv = -EINVAL; 210 goto out; 211 } 212 213 if (prev_datasize < datasize) { 214 rv = -EINVAL; 215 goto out; 216 } 217 218 if (data) { 219 if (copy_to_user(getvariable.data, data, datasize)) { 220 rv = -EFAULT; 221 goto out; 222 } 223 } 224 225 if (at && put_user(attr, getvariable.attributes)) { 226 rv = -EFAULT; 227 goto out; 228 } 229 230 if (dz && put_user(datasize, getvariable.data_size)) 231 rv = -EFAULT; 232 233 out: 234 kfree(data); 235 return rv; 236 237 } 238 239 static long efi_runtime_set_variable(unsigned long arg) 240 { 241 struct efi_setvariable __user *setvariable_user; 242 struct efi_setvariable setvariable; 243 efi_guid_t vendor_guid; 244 efi_status_t status; 245 efi_char16_t *name = NULL; 246 void *data; 247 int rv = 0; 248 249 setvariable_user = (struct efi_setvariable __user *)arg; 250 251 if (copy_from_user(&setvariable, setvariable_user, sizeof(setvariable))) 252 return -EFAULT; 253 if (copy_from_user(&vendor_guid, setvariable.vendor_guid, 254 sizeof(vendor_guid))) 255 return -EFAULT; 256 257 if (setvariable.variable_name) { 258 rv = copy_ucs2_from_user(&name, setvariable.variable_name); 259 if (rv) 260 return rv; 261 } 262 263 data = memdup_user(setvariable.data, setvariable.data_size); 264 if (IS_ERR(data)) { 265 kfree(name); 266 return PTR_ERR(data); 267 } 268 269 status = efi.set_variable(name, &vendor_guid, 270 setvariable.attributes, 271 setvariable.data_size, data); 272 273 if (put_user(status, setvariable.status)) { 274 rv = -EFAULT; 275 goto out; 276 } 277 278 rv = status == EFI_SUCCESS ? 0 : -EINVAL; 279 280 out: 281 kfree(data); 282 kfree(name); 283 284 return rv; 285 } 286 287 static long efi_runtime_get_time(unsigned long arg) 288 { 289 struct efi_gettime __user *gettime_user; 290 struct efi_gettime gettime; 291 efi_status_t status; 292 efi_time_cap_t cap; 293 efi_time_t efi_time; 294 295 gettime_user = (struct efi_gettime __user *)arg; 296 if (copy_from_user(&gettime, gettime_user, sizeof(gettime))) 297 return -EFAULT; 298 299 status = efi.get_time(gettime.time ? &efi_time : NULL, 300 gettime.capabilities ? &cap : NULL); 301 302 if (put_user(status, gettime.status)) 303 return -EFAULT; 304 305 if (status != EFI_SUCCESS) 306 return -EINVAL; 307 308 if (gettime.capabilities) { 309 efi_time_cap_t __user *cap_local; 310 311 cap_local = (efi_time_cap_t *)gettime.capabilities; 312 if (put_user(cap.resolution, &(cap_local->resolution)) || 313 put_user(cap.accuracy, &(cap_local->accuracy)) || 314 put_user(cap.sets_to_zero, &(cap_local->sets_to_zero))) 315 return -EFAULT; 316 } 317 if (gettime.time) { 318 if (copy_to_user(gettime.time, &efi_time, sizeof(efi_time_t))) 319 return -EFAULT; 320 } 321 322 return 0; 323 } 324 325 static long efi_runtime_set_time(unsigned long arg) 326 { 327 struct efi_settime __user *settime_user; 328 struct efi_settime settime; 329 efi_status_t status; 330 efi_time_t efi_time; 331 332 settime_user = (struct efi_settime __user *)arg; 333 if (copy_from_user(&settime, settime_user, sizeof(settime))) 334 return -EFAULT; 335 if (copy_from_user(&efi_time, settime.time, 336 sizeof(efi_time_t))) 337 return -EFAULT; 338 status = efi.set_time(&efi_time); 339 340 if (put_user(status, settime.status)) 341 return -EFAULT; 342 343 return status == EFI_SUCCESS ? 0 : -EINVAL; 344 } 345 346 static long efi_runtime_get_waketime(unsigned long arg) 347 { 348 struct efi_getwakeuptime __user *getwakeuptime_user; 349 struct efi_getwakeuptime getwakeuptime; 350 efi_bool_t enabled, pending; 351 efi_status_t status; 352 efi_time_t efi_time; 353 354 getwakeuptime_user = (struct efi_getwakeuptime __user *)arg; 355 if (copy_from_user(&getwakeuptime, getwakeuptime_user, 356 sizeof(getwakeuptime))) 357 return -EFAULT; 358 359 status = efi.get_wakeup_time( 360 getwakeuptime.enabled ? (efi_bool_t *)&enabled : NULL, 361 getwakeuptime.pending ? (efi_bool_t *)&pending : NULL, 362 getwakeuptime.time ? &efi_time : NULL); 363 364 if (put_user(status, getwakeuptime.status)) 365 return -EFAULT; 366 367 if (status != EFI_SUCCESS) 368 return -EINVAL; 369 370 if (getwakeuptime.enabled && put_user(enabled, 371 getwakeuptime.enabled)) 372 return -EFAULT; 373 374 if (getwakeuptime.time) { 375 if (copy_to_user(getwakeuptime.time, &efi_time, 376 sizeof(efi_time_t))) 377 return -EFAULT; 378 } 379 380 return 0; 381 } 382 383 static long efi_runtime_set_waketime(unsigned long arg) 384 { 385 struct efi_setwakeuptime __user *setwakeuptime_user; 386 struct efi_setwakeuptime setwakeuptime; 387 efi_bool_t enabled; 388 efi_status_t status; 389 efi_time_t efi_time; 390 391 setwakeuptime_user = (struct efi_setwakeuptime __user *)arg; 392 393 if (copy_from_user(&setwakeuptime, setwakeuptime_user, 394 sizeof(setwakeuptime))) 395 return -EFAULT; 396 397 enabled = setwakeuptime.enabled; 398 if (setwakeuptime.time) { 399 if (copy_from_user(&efi_time, setwakeuptime.time, 400 sizeof(efi_time_t))) 401 return -EFAULT; 402 403 status = efi.set_wakeup_time(enabled, &efi_time); 404 } else 405 status = efi.set_wakeup_time(enabled, NULL); 406 407 if (put_user(status, setwakeuptime.status)) 408 return -EFAULT; 409 410 return status == EFI_SUCCESS ? 0 : -EINVAL; 411 } 412 413 static long efi_runtime_get_nextvariablename(unsigned long arg) 414 { 415 struct efi_getnextvariablename __user *getnextvariablename_user; 416 struct efi_getnextvariablename getnextvariablename; 417 unsigned long name_size, prev_name_size = 0, *ns = NULL; 418 efi_status_t status; 419 efi_guid_t *vd = NULL; 420 efi_guid_t vendor_guid; 421 efi_char16_t *name = NULL; 422 int rv = 0; 423 424 getnextvariablename_user = (struct efi_getnextvariablename __user *)arg; 425 426 if (copy_from_user(&getnextvariablename, getnextvariablename_user, 427 sizeof(getnextvariablename))) 428 return -EFAULT; 429 430 if (getnextvariablename.variable_name_size) { 431 if (get_user(name_size, getnextvariablename.variable_name_size)) 432 return -EFAULT; 433 ns = &name_size; 434 prev_name_size = name_size; 435 } 436 437 if (getnextvariablename.vendor_guid) { 438 if (copy_from_user(&vendor_guid, 439 getnextvariablename.vendor_guid, 440 sizeof(vendor_guid))) 441 return -EFAULT; 442 vd = &vendor_guid; 443 } 444 445 if (getnextvariablename.variable_name) { 446 size_t name_string_size = 0; 447 448 rv = get_ucs2_strsize_from_user( 449 getnextvariablename.variable_name, 450 &name_string_size); 451 if (rv) 452 return rv; 453 /* 454 * The name_size may be smaller than the real buffer size where 455 * variable name located in some use cases. The most typical 456 * case is passing a 0 to get the required buffer size for the 457 * 1st time call. So we need to copy the content from user 458 * space for at least the string size of variable name, or else 459 * the name passed to UEFI may not be terminated as we expected. 460 */ 461 rv = copy_ucs2_from_user_len(&name, 462 getnextvariablename.variable_name, 463 prev_name_size > name_string_size ? 464 prev_name_size : name_string_size); 465 if (rv) 466 return rv; 467 } 468 469 status = efi.get_next_variable(ns, name, vd); 470 471 if (put_user(status, getnextvariablename.status)) { 472 rv = -EFAULT; 473 goto out; 474 } 475 476 if (status != EFI_SUCCESS) { 477 if (status == EFI_BUFFER_TOO_SMALL) { 478 if (ns && put_user(*ns, 479 getnextvariablename.variable_name_size)) { 480 rv = -EFAULT; 481 goto out; 482 } 483 } 484 rv = -EINVAL; 485 goto out; 486 } 487 488 if (name) { 489 if (copy_ucs2_to_user_len(getnextvariablename.variable_name, 490 name, prev_name_size)) { 491 rv = -EFAULT; 492 goto out; 493 } 494 } 495 496 if (ns) { 497 if (put_user(*ns, getnextvariablename.variable_name_size)) { 498 rv = -EFAULT; 499 goto out; 500 } 501 } 502 503 if (vd) { 504 if (copy_to_user(getnextvariablename.vendor_guid, vd, 505 sizeof(efi_guid_t))) 506 rv = -EFAULT; 507 } 508 509 out: 510 kfree(name); 511 return rv; 512 } 513 514 static long efi_runtime_get_nexthighmonocount(unsigned long arg) 515 { 516 struct efi_getnexthighmonotoniccount __user *getnexthighmonocount_user; 517 struct efi_getnexthighmonotoniccount getnexthighmonocount; 518 efi_status_t status; 519 u32 count; 520 521 getnexthighmonocount_user = (struct 522 efi_getnexthighmonotoniccount __user *)arg; 523 524 if (copy_from_user(&getnexthighmonocount, 525 getnexthighmonocount_user, 526 sizeof(getnexthighmonocount))) 527 return -EFAULT; 528 529 status = efi.get_next_high_mono_count( 530 getnexthighmonocount.high_count ? &count : NULL); 531 532 if (put_user(status, getnexthighmonocount.status)) 533 return -EFAULT; 534 535 if (status != EFI_SUCCESS) 536 return -EINVAL; 537 538 if (getnexthighmonocount.high_count && 539 put_user(count, getnexthighmonocount.high_count)) 540 return -EFAULT; 541 542 return 0; 543 } 544 545 static long efi_runtime_query_variableinfo(unsigned long arg) 546 { 547 struct efi_queryvariableinfo __user *queryvariableinfo_user; 548 struct efi_queryvariableinfo queryvariableinfo; 549 efi_status_t status; 550 u64 max_storage, remaining, max_size; 551 552 queryvariableinfo_user = (struct efi_queryvariableinfo __user *)arg; 553 554 if (copy_from_user(&queryvariableinfo, queryvariableinfo_user, 555 sizeof(queryvariableinfo))) 556 return -EFAULT; 557 558 status = efi.query_variable_info(queryvariableinfo.attributes, 559 &max_storage, &remaining, &max_size); 560 561 if (put_user(status, queryvariableinfo.status)) 562 return -EFAULT; 563 564 if (status != EFI_SUCCESS) 565 return -EINVAL; 566 567 if (put_user(max_storage, 568 queryvariableinfo.maximum_variable_storage_size)) 569 return -EFAULT; 570 571 if (put_user(remaining, 572 queryvariableinfo.remaining_variable_storage_size)) 573 return -EFAULT; 574 575 if (put_user(max_size, queryvariableinfo.maximum_variable_size)) 576 return -EFAULT; 577 578 return 0; 579 } 580 581 static long efi_runtime_query_capsulecaps(unsigned long arg) 582 { 583 struct efi_querycapsulecapabilities __user *qcaps_user; 584 struct efi_querycapsulecapabilities qcaps; 585 efi_capsule_header_t *capsules; 586 efi_status_t status; 587 u64 max_size; 588 int i, reset_type; 589 int rv = 0; 590 591 qcaps_user = (struct efi_querycapsulecapabilities __user *)arg; 592 593 if (copy_from_user(&qcaps, qcaps_user, sizeof(qcaps))) 594 return -EFAULT; 595 596 if (qcaps.capsule_count == ULONG_MAX) 597 return -EINVAL; 598 599 capsules = kcalloc(qcaps.capsule_count + 1, 600 sizeof(efi_capsule_header_t), GFP_KERNEL); 601 if (!capsules) 602 return -ENOMEM; 603 604 for (i = 0; i < qcaps.capsule_count; i++) { 605 efi_capsule_header_t *c; 606 /* 607 * We cannot dereference qcaps.capsule_header_array directly to 608 * obtain the address of the capsule as it resides in the 609 * user space 610 */ 611 if (get_user(c, qcaps.capsule_header_array + i)) { 612 rv = -EFAULT; 613 goto out; 614 } 615 if (copy_from_user(&capsules[i], c, 616 sizeof(efi_capsule_header_t))) { 617 rv = -EFAULT; 618 goto out; 619 } 620 } 621 622 qcaps.capsule_header_array = &capsules; 623 624 status = efi.query_capsule_caps((efi_capsule_header_t **) 625 qcaps.capsule_header_array, 626 qcaps.capsule_count, 627 &max_size, &reset_type); 628 629 if (put_user(status, qcaps.status)) { 630 rv = -EFAULT; 631 goto out; 632 } 633 634 if (status != EFI_SUCCESS) { 635 rv = -EINVAL; 636 goto out; 637 } 638 639 if (put_user(max_size, qcaps.maximum_capsule_size)) { 640 rv = -EFAULT; 641 goto out; 642 } 643 644 if (put_user(reset_type, qcaps.reset_type)) 645 rv = -EFAULT; 646 647 out: 648 kfree(capsules); 649 return rv; 650 } 651 652 static long efi_test_ioctl(struct file *file, unsigned int cmd, 653 unsigned long arg) 654 { 655 switch (cmd) { 656 case EFI_RUNTIME_GET_VARIABLE: 657 return efi_runtime_get_variable(arg); 658 659 case EFI_RUNTIME_SET_VARIABLE: 660 return efi_runtime_set_variable(arg); 661 662 case EFI_RUNTIME_GET_TIME: 663 return efi_runtime_get_time(arg); 664 665 case EFI_RUNTIME_SET_TIME: 666 return efi_runtime_set_time(arg); 667 668 case EFI_RUNTIME_GET_WAKETIME: 669 return efi_runtime_get_waketime(arg); 670 671 case EFI_RUNTIME_SET_WAKETIME: 672 return efi_runtime_set_waketime(arg); 673 674 case EFI_RUNTIME_GET_NEXTVARIABLENAME: 675 return efi_runtime_get_nextvariablename(arg); 676 677 case EFI_RUNTIME_GET_NEXTHIGHMONOTONICCOUNT: 678 return efi_runtime_get_nexthighmonocount(arg); 679 680 case EFI_RUNTIME_QUERY_VARIABLEINFO: 681 return efi_runtime_query_variableinfo(arg); 682 683 case EFI_RUNTIME_QUERY_CAPSULECAPABILITIES: 684 return efi_runtime_query_capsulecaps(arg); 685 } 686 687 return -ENOTTY; 688 } 689 690 static int efi_test_open(struct inode *inode, struct file *file) 691 { 692 /* 693 * nothing special to do here 694 * We do accept multiple open files at the same time as we 695 * synchronize on the per call operation. 696 */ 697 return 0; 698 } 699 700 static int efi_test_close(struct inode *inode, struct file *file) 701 { 702 return 0; 703 } 704 705 /* 706 * The various file operations we support. 707 */ 708 static const struct file_operations efi_test_fops = { 709 .owner = THIS_MODULE, 710 .unlocked_ioctl = efi_test_ioctl, 711 .open = efi_test_open, 712 .release = efi_test_close, 713 .llseek = no_llseek, 714 }; 715 716 static struct miscdevice efi_test_dev = { 717 MISC_DYNAMIC_MINOR, 718 "efi_test", 719 &efi_test_fops 720 }; 721 722 static int __init efi_test_init(void) 723 { 724 int ret; 725 726 ret = misc_register(&efi_test_dev); 727 if (ret) { 728 pr_err("efi_test: can't misc_register on minor=%d\n", 729 MISC_DYNAMIC_MINOR); 730 return ret; 731 } 732 733 return 0; 734 } 735 736 static void __exit efi_test_exit(void) 737 { 738 misc_deregister(&efi_test_dev); 739 } 740 741 module_init(efi_test_init); 742 module_exit(efi_test_exit); 743